Hello all and welcome to the Android Security and Exploitation training series by Pentester Academy. My name is Aditya and I'm your course instructor for this particular video training series. You're watching this video on PentesterAcademy.com and if you want to go for the certifications you can go to securitytube-training.com. So in the previous few videos, we had a look at Drozer and how you can use Drozer to exploit vulnerabilities in the content providers. Now in this particular video, we are going to have an application called CSipSimple, which looks quite secure at the start. But if you look deeper into the application, you will see the vulnerabilities. Now this application uses custom permissions to protect the content providers from being exploited. Now, what this actually means is an application can define its own permissions and use them to prevent the content providers from being queried by another application. Now, one of the things which developers often miss in this particular scenario is whenever you are defining a custom permission, make sure the permissions are also protected by signature. That means whenever you're protecting a content provider, Android checks for both the permission as well as the signature of the application.

Now, one of the things that could happen in this scenario is we can have Drozer ask for the same set of permissions and then exploit the vulnerable content providers. Now, this vulnerability was discovered by Joshua Drake, in his book the Android Hacker's Handbook, which is a really interesting read if you want to look deep into Android security and internals. Let's jump into this vulnerability.

So I have got Santoku running and I'll go to Downloads/training/vulnapps/ and let's make a folder CSIPSimple, and we see CSipSimple.apk to CSIPSimple. Here I have the CSipSimple.apk and it's also installed on my device here. And one of the things I have set over here is the outgoing filters. These are the two outgoing filter rules which I have written and I will now try to query them using Drozer. So let's start up Drozer and let's see if we can query this particular one. Before that, let's install a new version of Drozer, which is a fresh installation of Drozer. So let's uninstall the previous one, com.mwr.dz, and look for agent.apk. Install /home/adi/Downloads/agent.apk. So, the new Drozer has been installed and I can start up the new Drozer. So the first thing is I will look for the package name of CSipSimple. So, in order to look for the package name, you can do app.package.list -f csipsimple. So, this will give me the package name of the application CSipSimple.

Another way to look for the package name is you can just do a quick adb shell ps and it will show you a list of all the running processes and you can grab the package name from there. So, adb shell ps | grep -i csip. So, here you get the package name; also in the meanwhile Drozer also found it. Once we have the package name, now we can go ahead and find out the content provider URIs for this particular application. So we can do run app.provider.finduri and pass in the package name. So this will list down all the different content URIs which the application has. Now, this is the list of all the different content URIs and we can select any of them and try to query them. So in this case, let's go for outgoing filters because we have set up a few outgoing filters which we'd like to query. I can do run app.provider.query and it shows me an error which says permission denial because in order to open this particular content provider or the database, it needs this particular permission. Interesting. So what we can do here is, we can decompile the CSipSimple application and look into how it's asking for permissions. Vulnerable applications, CSipSimple. Here we have the CSipSimple apk. So apktool d and then CSipSimple.apk.

The application is now decompiled and if you go inside the application's decompiled folder and look into the AndroidManifest.xml, you'll see that there is a permission uses which looks somewhat different from the normal Android permissions. So this says android.permission.CONFIGURE_SIP and there's another permission android.permission.USE_SIP. If you look down there's also the permission declaration over here. So what we can do here is we can simply copy these permissions to Drozer's AndroidManifest.xml, recompile Drozer and then try out the same query with the newly compiled Drozer. Let's do that. So here we are. Let's open this in leafpad so it's easy for us to copy and paste. leafpad CSIP AndroidManifest.xml. Put it in the background and also let's copy the agent.apk which is the Drozer application. So apktool d agent.apk. And also open up Drozer's AndroidManifest.xml. Now we have the two AndroidManifest.xml files opened with us. So all we need to do is simply copy the permission declaration and the uses from CSipSimple's AndroidManifest.xml to Drozer's AndroidManifest.xml. We'll copy this over here and also copy the uses. These two lines. So paste it over here. It looks like everything is done. There's just one small thing missing over here. This is our agent's AndroidManifest.xml and if you look here at android:label, this is not a regular hard-coded string.

This is actually a reference to a file strings.xml and a string which has a tag permlab_useSip, and the same for permlab_configureSip, permdesc_configureSip and permdesc_use. So these are the four tags which we have to copy from the strings.xml of CSipSimple to Drozer's strings.xml. Let's save this particular file and close it. Close that. Now let's open the strings.xml for both the files. So CSipSimple/res/values/strings.xml and similarly for Drozer, agent/res/values/strings.xml. We'll copy from CSipSimple's strings.xml to Drozer's strings.xml. So you can paste it any way you like in the strings.xml. You can just save it. Close. Now we have the agent modified and now we can recompile it into a new Drozer agent. You can simply use apktool, b for build, and then agent -o, let's say, newagent.apk. I will compile the newagent.apk with the additional permissions which we have just now given. Let's wait for it to get compiled. So now it has been compiled and the only thing left is to sign the newagent.apk. Let's copy the certificate from Downloads, CTF, cocon, my keystore. Let's copy the signing.txt. This is the newagent.apk and the password is android. Invalid keystore format. Okay. my-release-key.keystore. cat signing.txt, newagent.apk. Okay.

So let's do one thing, let's copy this newagent.apk to the location where the cocon exists, training/CTF/cocon. Go to that location CTF/cocon. So here we have the signing.txt. You can change it to newagent.apk as that is our application name. Save it, cat signing.txt, password is android and it again says Invalid keystore format. Now this is an interesting error because... Okay, so this is because the my-release-key.keystore is not a valid one. So let's look for where else this is present and we can copy this in there. So let's copy this one from here. So there was an issue with the keystore because it accidentally got mixed up, but with the correct keystore it works and the application is now signed. So now we can install the application and before that we'll uninstall the previous one. Install agent, newagent.apk. And here we can start up Drozer again with the new agent.apk. In the earlier case, we were getting a permission denial message. So let's try the same content provider query with this one, --vertical. Okay, so now it works. This is how we have bypassed the permission protection of the content provider because it wasn't protected along with the signature. So this is one of the vulnerable implementations of security which you'll see with the content providers.

Now we can play around with a lot of different applications, you can see how they are protecting the application and you can figure out a way to bypass it. So that's all for this video. I hope you enjoyed it and if you have any more feedback or queries, feel free to reach out to me at adi@attify.com or you can tweet me @adi1391. Thanks a lot.
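As an added illustration of the manifest check the video describes (this script is not part of the course material or of CSipSimple; the sample manifest and the com.example.vulnapp names are constructed), the Python below parses an AndroidManifest.xml, maps each custom <permission> to its protectionLevel, and flags exported content providers whose guarding permission is declared at the default "normal" level, or not declared in the manifest at all. Pointing it at the AndroidManifest.xml produced by apktool d surfaces the same weakness before another installed app can simply request the permission.

```python
"""Audit an AndroidManifest.xml for exported content providers that are
guarded only by a permission weaker than protectionLevel="signature"."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# protectionLevel base values that bind the permission to the signing key
SIGNATURE_LEVELS = {"signature", "signatureOrSystem"}

# Constructed sample manifest (hypothetical com.example.vulnapp, not CSipSimple's
# real manifest): FiltersProvider is guarded by a permission declared without a
# protectionLevel, AccountsProvider by a signature-level one, PrivateProvider is
# not exported at all.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <permission android:name="com.example.vulnapp.permission.READ_FILTERS"
        android:label="@string/permlab_readFilters"
        android:description="@string/permdesc_readFilters" />
    <permission android:name="com.example.vulnapp.permission.READ_ACCOUNTS"
        android:protectionLevel="signature" />
    <uses-permission android:name="com.example.vulnapp.permission.READ_FILTERS" />
    <application android:label="VulnApp">
        <provider android:name=".FiltersProvider"
            android:authorities="com.example.vulnapp.filters"
            android:exported="true"
            android:permission="com.example.vulnapp.permission.READ_FILTERS" />
        <provider android:name=".AccountsProvider"
            android:authorities="com.example.vulnapp.accounts"
            android:exported="true"
            android:readPermission="com.example.vulnapp.permission.READ_ACCOUNTS" />
        <provider android:name=".PrivateProvider"
            android:authorities="com.example.vulnapp.private"
            android:exported="false" />
    </application>
</manifest>
"""


def android_attr(name):
    """Return the namespaced attribute key for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


def is_signature_level(level):
    """True if the protectionLevel's base value is signature-bound.
    Flags such as "signature|privileged" are written with '|' after the base."""
    base = level.split("|")[0].strip()
    return base in SIGNATURE_LEVELS


def declared_permissions(root):
    """Map each <permission> name to its protectionLevel; unset means 'normal'."""
    levels = {}
    for perm in root.iter("permission"):
        levels[perm.get(android_attr("name"))] = perm.get(
            android_attr("protectionLevel"), "normal")
    return levels


def audit_providers(manifest_xml):
    """Return findings for exported providers not protected by a
    signature-level permission. Each finding is a dict with keys
    provider, permission (None if unguarded) and level
    ('normal', 'undeclared', 'none' or the literal protectionLevel)."""
    root = ET.fromstring(manifest_xml)
    levels = declared_permissions(root)
    findings = []
    for prov in root.iter("provider"):
        # exported defaults differ between SDK levels, so only an explicit
        # android:exported="false" is treated as unreachable by other apps
        if prov.get(android_attr("exported")) == "false":
            continue
        name = prov.get(android_attr("name"))
        guards = {prov.get(android_attr(attr))
                  for attr in ("permission", "readPermission", "writePermission")}
        guards.discard(None)
        if not guards:
            findings.append({"provider": name, "permission": None, "level": "none"})
            continue
        for perm in sorted(guards):
            level = levels.get(perm, "undeclared")
            if level == "undeclared" or not is_signature_level(level):
                findings.append({"provider": name, "permission": perm, "level": level})
    return findings


if __name__ == "__main__":
    for f in audit_providers(SAMPLE_MANIFEST):
        print("%s guarded by %s (protectionLevel: %s)"
              % (f["provider"], f["permission"], f["level"]))
```

To audit a real decompiled app, read the manifest from disk and pass its contents to audit_providers; a provider reported with level "normal" or "undeclared" is exactly the case shown in the video, and the fix is to declare the permission with android:protectionLevel="signature" (or set android:exported="false" if no other app needs the provider).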